Copy ca-key.pem to etcd and kube-masters accordingly

6 years ago · 3fa7468d54
3 changed files with 6 additions and 1 deletions
--- a/roles/vault/tasks/bootstrap/main.yml
+++ b/roles/vault/tasks/bootstrap/main.yml
@ -57,6 +57,7 @@
    gen_ca_mount_path: "{{ vault_pki_mounts.etcd.name }}"
    gen_ca_vault_headers: "{{ vault_headers }}"
    gen_ca_vault_options: "{{ vault_ca_options.etcd }}"
+    gen_ca_copy_group: "etcd"
  when: inventory_hostname in groups.etcd and vault_etcd_ca_cert_needed

 - import_tasks: gen_vault_certs.yml
--- a/roles/vault/tasks/cluster/main.yml
+++ b/roles/vault/tasks/cluster/main.yml
@ -32,6 +32,7 @@
    gen_ca_mount_path: "{{ vault_pki_mounts.kube.name }}"
    gen_ca_vault_headers: "{{ vault_headers }}"
    gen_ca_vault_options: "{{ vault_ca_options.kube }}"
+    gen_ca_copy_group: "kube-master"
  when: inventory_hostname in groups.vault

 - include_tasks: ../shared/auth_backend.yml
--- a/roles/vault/tasks/shared/gen_ca.yml
+++ b/roles/vault/tasks/shared/gen_ca.yml
@ -24,9 +24,12 @@
    mode: 0644
  when: vault_ca_gen.status == 200

- name: "bootstrap/gen_ca | Copy {{ gen_ca_mount_path }} root CA key locally"
+
+- name: "bootstrap/gen_ca | Copy {{ gen_ca_mount_path }} root CA key to necessary hosts"
  copy:
    content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['private_key'] }}"
    dest: "{{ gen_ca_cert_dir }}/ca-key.pem"
    mode: 0640
  when: vault_ca_gen.status == 200
+  delegate_to: "{{ item }}"
+  with_items: "{{ (groups[gen_ca_copy_group|default('vault')]) | union(groups['vault']) }}"